Up to 70 percent of cases start with employee heist

Below:

Next story in Security

A soon-to-be-released study reveals what some identity theft experts have hinted at for years -- the crime is largely the work of insiders. In a study of more then 1,000 identity theft arrests in the United States, Michigan State professor Judith Collins has discovered that perhaps as much as 70 percent of all identity theft starts with theft of personal data from a company by an employee.

"It used to be that shrinkage (theft) was the biggest cost to employers after payroll and healthcare. Today what we have to think about, in the information age, is employees stealing information," Collins said. "Why steal merchandise when they can steal data and get money?"

Collins, director of an identity theft program at Michigan State, randomly selected 1,037 cases from around the country, then painstakingly traced each incident to its origins. In 50 percent of the cases, the victim's identity was originally pilfered by a company employee. In another 20 percent of cases, evidence strongly suggested dirty play by an insider.

Her results contradict the conventional vision of identity thieves hacking Web sites or digging through dumpsters. But some experts said the results could have been anticipated.

Video: Inside ID theft
"You don't have 10 million victims a year by people going through the trash," said Joseph Ansenelli, an executive at information security firm Vontu Inc.

Perhaps the greatest surprise: a large number of the identities were stolen not by an employee -- but by the business owner.

Linda Foley, executive director of the San Diego-based Identity Theft Resource Center, actually began the non-profit agency after her identity was stolen by her employer four years ago. She said Collins' findings on insider theft is consistent with reports she hears from victims who call her hotline.

"It only makes sense. A majority of the information is in the hands of corporate America," she said.

'Crime of opportunity'
Most of the crimes began at health care or financial companies, Collins found in her study. In most cases, temporary workers or employees stealing data from other departments were to blame. That suggests companies need to tighten up data security practices, she said.

Rob Douglas, an identity theft consultant in the banking industry, said Collins' results weren't a complete surprise. About two years ago, bank regulators issued a string of warnings about insiders committing crimes at banks. One such notice, published by the Office of the Comptroller of the Currency at the Treasury Department, warned that organized crime rings were placing members in low-level teller jobs at banks in order to commit identity theft and other crimes.

"There is always a lot of concern about hacking," Douglas said. "But the demonstrable number of mass hacks pales in comparison to the easy old method of insider theft. It's a crime of opportunity. The information is right there. I always tell banks I talk to, information equals cash."

Collins' study, which will be published later this year, comes at the same time federal lawmakers are beginning to focus attention on the insider ID theft issue. The "Identity Theft Penalty Enhancement Act," now working its way through the House of Representatives, includes additional jail time for criminals who steal data on the job.

Rep. John Carter, R-Texas, who advocated for the insider theft provision, said the idea was generated largely from an infamous incident in Texas last year, when a student employee at the University of Texas allegedly stole 55,000 Social Security Numbers.

"It's an extra two years if you are an insider, and steal data, and that data is used for a crime. We compare it to aiding and abetting a crime," Carter said. "We hope the word will get out, and this will act as a deterrent."

Ansenelli called the legislation "a step in the right direction." But he advocates for a national standard for all firms that store personal data. Carter's legislation has no provisions for corporate liability when employees steal data.

Collins' findings also included surprising insights into the perpetrators of identity theft. Unlike most crimes, about half the criminals in her study were women -- suggesting identity theft is a new kind of equal opportunity crime.

"This crime is much different than any other crime," Collins said. "Men tend to be more risk-takers, and committing crime is high risk. But ID theft is low risk. For example, credit card fraud can be committed online. ... So we're probably going to continue to see as many women as men commit the crime."